New Variant of Mac Flashback Trojan Appears

Security researchers are reporting the emergence of another variant of the Flashback Trojan targeting Mac machines.

According to Intego, the new variant continues to use an already-patched Java vulnerability to infect users. No password is required for it to install, and it places files in the victim’s home folder at the following locations:

• ~/Library/LaunchAgents/com.java.update.plist

• ~/.jupdate

“It then deletes all files and folders in ~/Library/Caches/Java/cache in order to delete the applet from the infected Mac, and avoid detection or sample recovery,” the company said. “Intego has several samples of this new Flashback variant, which is actively being distributed in the wild.”
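The two file paths and the emptied Java applet cache quoted above are the host-level indicators a defender can check for. The script below is an added example, not Intego's or the article's own tooling; it assumes the indicators are exactly the paths quoted in the article and takes the home directory as an argument so it can be run against a mounted disk image or a test tree rather than only the live $HOME.

```shell
#!/bin/sh
# Added example: check a home directory for the Flashback variant's
# filesystem indicators as quoted in the article (assumed to be exactly
# these two paths). Exit status is the number of indicators present,
# so 0 means none were found.
check_flashback_indicators() {
    home="$1"
    found=0
    for f in "$home/Library/LaunchAgents/com.java.update.plist" "$home/.jupdate"; do
        if [ -e "$f" ]; then
            echo "INDICATOR PRESENT: $f"
            found=$((found + 1))
        fi
    done

    # The LaunchAgent plist is what keeps the payload running across logins;
    # if it exists, show the program launchd would be told to start.
    plist="$home/Library/LaunchAgents/com.java.update.plist"
    if [ -f "$plist" ]; then
        grep -A1 'ProgramArguments' "$plist" 2>/dev/null | sed 's/^/  /'
    fi

    # The variant wipes ~/Library/Caches/Java/cache to remove the applet.
    # An existing but empty cache directory is only a weak secondary signal,
    # since ordinary cache cleanup produces the same state, so report it
    # separately and do not count it as an indicator.
    cache="$home/Library/Caches/Java/cache"
    if [ -d "$cache" ] && [ -z "$(ls -A "$cache" 2>/dev/null)" ]; then
        echo "NOTE: Java applet cache exists but is empty: $cache"
    fi
    return "$found"
}
```

Run it as `check_flashback_indicators "$HOME"` on a live system, or point it at the home directory inside a mounted image when triaging a disk offline.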

Just last week, researchers at Symantec claimed the number of Macs infected with Flashback had dropped to 140,000. Since then, however, the company has revised its number to put it at more than 600,000 – roughly the same as when the botnet’s existence became widely publicized more than two weeks ago.

According to Kaspersky Lab, compromised WordPress sites played a key role in spreading the malware, as they were hosting code that redirected visitors to a malicious server.

“The use of exploits to distribute Flashfake was first detected in February 2012; exploits dating back to 2008 and 2011 were used in those attacks,” Kurt Baumgartner, senior security researcher at Kaspersky Lab, blogged April 19. “Exploitation of the CVE-2012-0507 vulnerability was first reported in March 2012. At that point, it was a vulnerability in Mac OS X that remained unpatched, despite the fact that Oracle had released a patch for it in February. This was because Apple never uses patches from Oracle and creates its own patches to close Java vulnerabilities…This practice of releasing patches with delays of about two months is traditional for Apple.”

Symantec has also spotted this same vulnerability being leveraged by another piece of malware, referred to as Trojan.Maljava, which targets both Mac and Windows computers.

“When a victim loads the Java Applet malware, it breaks the Java Applet sandbox by using the CVE-2012-0507 vulnerability,” blogged Takashi Katsuki, threat analyst with Symantec Security Response. “This vulnerability is effective for both Mac and Windows operating systems. Then, if the threat is running on a Mac operating system, it downloads a dropper type malware written in Python. However, if the threat is running on a Windows operating system, it downloads a standard Windows executable file dropper. Both droppers drop a Trojan horse program that opens a back door on the compromised computer.”

Ironically, much of the malware on Macintosh computers appears to be targeting Windows, according to a new report by Sophos. One in five of the 100,000 Mac computers the company analyzed were infected with at least one piece of Windows malware. Just one in 36 was infected with malware intended for Mac OS X.

While Windows malware won’t cause any problems on Macs that are not also running Windows on the same system, the malware can still be spread to other computers via USB memory sticks and other means.

“Some Apple fans might feel relieved that they are seven times more likely to have Windows malware on their Macs than Mac OS X-specific threats, but they shouldn't be,” argued Graham Cluley, senior technology consultant at Sophos. “What Mac users really need to do is protect their computers now…or risk allowing the malware problem on Macs to become as big as the problem on PCs in the future.”